Abstract. We extend our light Dialectica interpretation [10] to usual and light
modal formulas and prove it sound for pseudo-modal arithmetics based on Gödel's
T and classical S4. The range of this light modal Dialectica interpretation is the
usual (non-modal) classical Arithmetic in all finite types. We also illustrate the
use of the new tools for optimized program synthesis with new examples.



This recent work comes in addition to the program extraction technology outlined
in our previous paper [10] by adding a useful device for combining the effect of
previous optimizations by semi- and non-computational quantifiers in a compact
one-step content eraser, namely the modal operator □ (and its weak co-modality
$\Diamond^c = \neg\Box\neg$). Beside the seemingly cosmetic improvement, we bring the following new
result: while the modal propositional axioms of system S4 are realizable, the defining
axiom of S5 is generally not realizable under (light) modal Dialectica.

The use and interpretation of modal operators in this paper were inspired by work of
Oliva (partly joint with the first author, see [9]) at the linear logic sublevel, see [14, 15].
It is no coincidence that, at formulas level, our interpretation of □A is syntactically the
same as Oliva's modified realizability interpretation of !A in intuitionistic linear logic.
However, a bureaucratic detour would be needed in order to simulate □A in terms of
!A, which seems less suitable for an efficient computer implementation.

The second author independently noticed the possibility of using the same supra-linear
modal operators for light program extraction in [18], see also [19]. However, the
initiative of studying the full employment of □ for more efficient program synthesis in
the formal context of a classical first-order modal logic (in the sense of Schütte, [16])
belongs to the first author. As we will see, for our extractive purposes it is useful to
depart from Schütte's original semantics for quantified modal logic. E.g., the propositional
fragments of our first-order modal systems are no longer modal, but purely boolean, as
$\Box p = p = \Diamond^c p$ for propositional atoms $p$. We thus design pseudo (i.e., non-standard)
modal arithmetics for program extraction, with relative soundness syntactically given
via our (light) modal functional interpretation by the target system, namely classical
predicate Arithmetic with higher-type functionals, in a Natural Deduction presentation.

For an easier presentation we will give up the 'pseudo' prefix. Throughout the paper,
our modal Arithmetics are pseudo-modal. For comparison, Schütte's systems will be
shortly presented in the extended variant of this paper. Note that soundness of Schütte's
predicate modal logics (e.g., S%) is proved non-constructively, using models, see [16].

1 Arithmetical systems for Modal Dialectica extraction 

We build upon functional arithmetical systems NA and (the light annotated) NA_l from
[10]. While verifying system NA basically is the Arithmetic Z of Berger, Buchholz and
Schwichtenberg [4] in a slightly different presentation which is more suitable for light
functional synthesis and features full classical logic (without strong existence) and full
extensionality, its light counterpart NA_l is only partly classical. Moreover, the input
system NA_l is weakly extensional and its contraction (and hence also induction) rule
is restricted for soundness of the (light) functional interpretation of NA_l into NA. In
computing terms, the program synthesis algorithm provided by the light Dialectica (of
[10], as inherited from the one of [7]) terminates without error only modulo the
above-mentioned restrictions on Extensionality and Contraction.

For (light) modal functional synthesis we will use the same verifying system NA.
The simpler input system NA^m is obtained by adding □ to a restricted variant of NA.
This modal Arithmetic will be proved sound via the modal Dialectica interpretation.
The fully-fledged input system NA^m_l adds to NA^m all light universal quantifiers and is
a modal extension of NA_l; its soundness will be given by the light modal Dialectica
interpretation. We will not detail here the arithmetics NA and NA_l, but rather refer the
reader to [10]. We mostly enumerate the new items that are added in order to get NA^m_l
and respectively NA^m. (Systems NA and NA_l are retaken in the Appendix, Section 5.)

The sets of finite types T, terms T (of Gödel's T), formulas T (of NA) and, with
the addition of □, formulas T^m of NA^m and T^m_l of NA^m_l are defined as follows:
3 As inherited from system Z, our NA is mostly a Natural Deduction presentation of the
so-called 'negative arithmetic' from [20], basically a double-negation, Gödel-Gentzen embedding
of classical into Heyting Arithmetic HA^ω.

4 The restriction on extensionality is at its turn inherited from the pure Gödel's functional
interpretation [6], whereas the restriction on contraction was first added by Hernest, as it was
imposed by the necessity of decidability of the translation of light contraction formulas.

5 These restrictions are more relaxed than those from the first author's PhD thesis and weaker
than Gödel's restriction on extensionality, Kreisel's avoiding of contraction in his Modified
Realizability [12] and Girard's total elimination of contraction in his original Linear Logic [5].
Recall that we employ just two basic types: integers $\iota$ and booleans $o$, and use $\rho\sigma\tau$ for
$(\rho(\sigma\tau))$. Building blocks for terms are the usual constructors for booleans (T, F) and
integers (0, S), case distinction If and Gödel recursion R.

The operator FV(·) returns the set of free variables of its argument $t \in T$ or $A \in T$.
Atomic formulas are decidable by definition, as they are identified with boolean terms.
In particular, we have decidable falsity $\bot := \mathrm{at}(\mathrm{F})$ and truth $\top := \mathrm{at}(\mathrm{T})$. As usual, we
abbreviate $A \to \bot$ by $\neg A$.

For the necessity operator □ we have the following enhanced introduction rule,
which applies to many more premise sequents than usual (as the context $\Gamma$ may be
inhabited, see also Remark 4 in Section 2 for an extended motivation):

$$\Box^i:\quad \frac{\Gamma \vdash A}{\Gamma \vdash \Box A}$$

where $\Gamma$ is restricted depending on the translation of the (sub)proof of the premise
sequent, in ways that will be described below for each of the two proof translations:
modal and light modal.

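The following axioms of modal propositional logic S4 are part of NA^m and NA^m_l:

$$\mathrm{AxT}:\ \Box A \to A \qquad\qquad \mathrm{AxT}^c:\ A \to \Diamond^c A$$

$$\mathrm{Ax4}:\ \Box A \to \Box\Box A \qquad\qquad \mathrm{Ax4}^c:\ \Diamond^c\Diamond^c A \to \Diamond^c A$$

$$\mathrm{AxK}:\ [\Box(A \to B) \wedge \Box A] \to \Box B$$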

In fact only AxT is needed as axiom of our non-standard modal systems. Of course, AxT^c
and Ax4^c were syntactically deducible from AxT and respectively Ax4 already in the
propositional modal system S4, only using minimal logic (the proof of Ax4^c also uses
AxK and the empty-context $\Box^i$). It turns out that also Ax4 and AxK are easily deducible
in NA^m_l / NA^m just from AxT (and only using minimal logic), given our very liberal
necessity introduction rule, see Definition 3 below. Note that Stability $\neg\neg B \to B$ needs
to be restricted already for NA^m, due to the necessary restriction on Contraction, see
Remark 3 further below, Remark 5 in Section 2 and Section 3.1 of [10].

We denote by $A \to_k B := \Box A \to B$ the so-called 'Kreisel implication', since its
translation by modal Dialectica coincides with its Modified Realizability interpretation.

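Definition 1 (modal Dialectica interpretation). The interpretation does not change
atomic formulas, i.e., $|\mathrm{at}(t^o)| := \mathrm{at}(t^o)$. Assuming $|A|^x_y$ and $|B|^u_v$ are already defined,

$$|A \wedge B|^{x,u}_{y,v} := |A|^x_y \wedge |B|^u_v \qquad\qquad |\forall z A(z)|^{f}_{z,y} := |A(z)|^{fz}_y$$

$$|A \to B|^{f,g}_{x,v} := |A|^x_{fxv} \to |B|^{gx}_v \qquad\qquad |\Box A|^x := \forall y\,|A|^x_y$$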

As an immediate consequence, 

\<fA = (-.□-,_4)| / = 3_5|_4|^_. 
$$|A \to_k B \equiv (\Box A \to B)|^{g}_{x,v} = \forall y\,|A|^x_y \to |B|^{gx}_v$$

$$|\exists z A(z) \equiv (\neg\forall z \neg A(z))|^{Z,f}_{g} = \neg\neg|A(Zg)|^{fg}_{g(Zg)(fg)}$$



Any decidable formula can (and should) be given via its associated boolean term, e.g., one
should rather use $\mathrm{at}(\mathrm{Odd}(x))$ instead of the more verbose $\forall y(2y \neq x)$, which is refutation
relevant in a somewhat artificial and probably unintended way.



4 Hernest & Trifonov 



Definition 2 (light modal Dialectica interpretation). The following are added to the
above (the deduced translation of $\exists_\emptyset z$ is outlined below for use at the end of Section 2):

$$|\forall_+ z A(z)|^{f}_{y} := \forall z\,|A(z)|^{fz}_y \qquad\qquad |\forall_- z A(z)|^{x}_{z,y} := |A(z)|^x_y$$

$$|\forall_\emptyset z A(z)|^{x}_{y} := \forall z\,|A(z)|^x_y \qquad\qquad |\exists_\emptyset z B(z)|^{f}_{g} = \exists z\,|B(z)|^{fg}_{g(fg)}$$

Remark 1. The light modal translation of formulas only adds $|\Box A|^x := \forall y\,|A|^x_y$ to our
light functional translation from [10].

The definition of computation relevance of (light) modal formulas $A$ is basically the
same as for non-modal formulas, relative to the enhanced syntactic context. Namely,
$A$ is realization relevant also under (light) modal Dialectica if the tuple of witness
variables $x$ of its translation $|A|^x_y$ is not empty and similarly $A$ is refutation relevant
if the tuple of challenge variables $y$ is not empty. See Remark 1 in Section 3 of [10].
Correspondingly, $A$ is realization irrelevant if it is not realization relevant (i.e., $x$ is an
empty tuple), and $A$ is refutation irrelevant if it is not refutation relevant (i.e., $y$ is an
empty tuple), see also the more technical Definition 1 in Section 2 of [10].

Definition 3 (Necessity Introduction). The restriction on $\Box^i$ depends on programs
synthesized from the proof of the premise $A$ of this rule, unless all formulas in the
context $\Gamma$ are refutation irrelevant or $A$ is refutation irrelevant, see the paragraph
following Theorem 1 in Section 2 below. Thus input proofs are inductively defined together
with their extracted programs (and their corresponding output proofs).

Remark 2 (restriction violation for $\Box^i$). In an automated interactive search for modal
input proofs of a given specification, we can temporarily allow $\Box^i$ and postpone the
validity check for when the proof of its premise is fully constructed. This approach
would be similar to the 'nc-violations' check in the actual MinLog system, see [17],
and to the so-called 'computationally correct proofs' from [19].

For efficiency reasons, we recommend the use of modal operators whenever possible
instead of the above partly (or non) computational quantifiers $\forall_+$, $\forall_-$, $\forall_\emptyset$ and $\exists_\emptyset$.
Thus it makes sense to study the (pure) modal Dialectica in itself, as the use of such 
light quantifiers may not be necessary in many cases of interest. It should be much eas- 
ier to construct a purely modal (i.e., without light quantifiers) input proof, also for a 
(semi) automated proof-search algorithm. Nevertheless, it is the light variant of modal 
Dialectica which provides the larger range of possibilities, particularly for situations 
where the simpler, 'heavier' modal Dialectica does not suffice. 

Remark 3 (Contraction restriction). We upgrade the -A - restriction from [10] on the
computationally relevant contractions (those on refutation relevant open assumptions
$A$), such that the interpretation $|A|$ must be decidable (rather than strictly
quantifier-free). In the new modal context one needs to take into account also the translation
of the necessity operator, as this introduces new quantifiers. These may alter the
decidability of the translated formula (relative to the corresponding non-modal formula
obtained by wiping out all instances of □). E.g., let $T(x, y, z)$ be a decidable predicate
s.t. $H(x, y) := \exists z\,T(x, y, z)$ is not decidable (take Kleene's T predicate which is
expressible in Peano Arithmetic, hence also in NA, so that $H$ expresses the Halting
Problem "program with code $x$ halts on input $y$"). Then $P(x) := \forall y \forall z\, \neg T(x, y, z)$ can
be a contraction formula, whereas $P^{\Box}(x) := \forall y\, \Box \forall z\, \neg T(x, y, z)$ cannot, as its
translation is $\forall z\, \neg T(x, y, z)$, an undecidable formula, since NA $\vdash |P^{\Box}(x)|_y \leftrightarrow \neg H(x, y)$.

On the other hand, both $\forall z(3z \neq x) \wedge \forall y(2y \neq x)$ and $\forall z(3z \neq x) \wedge \Box\forall y(2y \neq x)$
can be contraction formulas, since $\forall y(2y \neq x)$ is decidable.

2 Modal and light modal functional interpretations 

The following metatheorem gives the general pattern in which soundness theorems for 
Dialectica-based interpretations can be expressed, in a Natural Deduction setting. 

Theorem 1 (general soundness for Dialectica interpretations; [ISys, VSys]).
Let $A_0, A_1, \ldots, A_n$ be a sequence of formulas of ISys with $w$ all their free variables.
If the sequent $a_1 : A_1, \ldots, a_n : A_n \vdash A_0$ is provable in ISys, then terms $t_0, \ldots, t_n$
can be automatically synthesized from its formal proof such that the translated sequent
$a_1 : |A_1|^{x_1}_{t_1}, \ldots, a_n : |A_n|^{x_n}_{t_n} \vdash |A_0|^{t_0}_{x_0}$ is provable in VSys, where the following
free variable condition (c) holds: $\mathrm{FV}(t_i) \subseteq \{w, x_0, \ldots, x_n\}$ and $x_0 \notin \mathrm{FV}(t_0)$. Here
$x_0, \ldots, x_n$ are tuples of fresh variables, s.t. equal avars share a common such tuple.

In [10] the above was thoroughly proved for ISys = NA_l and VSys = NA. Below
we prove that (meta)Theorem 1 remains valid also for the pairs [NA^m, NA] (modal
Dialectica) and [NA^m_l, NA] (light modal Dialectica), which share the same VSys = NA.

We can now complete the definition of $\Box^i$: the restriction is that $x_0 \notin \bigcup_{i=1}^{n} \mathrm{FV}(t_i)$
in the translated premise sequent $a_1 : |A_1|^{x_1}_{t_1}, \ldots, a_n : |A_n|^{x_n}_{t_n} \vdash |A_0|^{t_0}_{x_0}$. This ensures
that the introduction rule $\forall^i$ can be applied for variables $x_0$ and thus the conclusion
sequent $a_1 : A_1, \ldots, a_n : A_n \vdash \Box A_0$ is witnessed by the same realizers as the premise.

Lemma 1 (interpretation of S4 modal axioms). Axioms AxT, AxT^c, Ax4, Ax4^c and
AxK are realizable in NA under the (light) modal Dialectica translation.

Proof: The translation of AxT is $|\Box A \to A|^{g}_{x,v} = \forall y\,|A|^x_y \to |A|^{gx}_v$ and we can
take $g$ to be the identity $\lambda x.\,x$. Similarly, the translation of AxT^c is
$|A \to \Diamond^c A|^{f}_{x,y} = |A|^x_{fxy} \to \exists u\,|A|^u_y$ and we can take $f$ to be the projection
$\lambda xy.\,y$. For Ax4 and Ax4^c it is immediate that $|\Box A| = |\Box\Box A|$ and also
$|\Diamond^c A| = |\Diamond^c\Diamond^c A|$, thus the realizer is again the identity in both cases. In the
translation of AxK below, we take $U := \lambda f, g, x.\ g\,x$, which can easily be proved to be a realizer.

$$|\mathrm{AxK}|^{U}_{f,g,x'} = [\forall x, v\,(|A|^x_{fxv} \to |B|^{gx}_v) \wedge \forall y\,|A|^{x'}_y] \to \forall v\,|B|^{U f g x'}_v$$

Given the above Lemma and comments, we have completely established the following: 
Theorem 2 (soundness of modal Dialectica). Theorem 1 [NA^m, NA].
Theorem 3 (soundness of light modal Dialectica). Theorem 1 [NA^m_l, NA].

The next result pictures the limits of our modal extension of Dialectica interpretation.

Theorem 4 (unrealizability of S5 defining axiom). Axiom $\mathrm{Ax5} : \Diamond^c A \to \Box\Diamond^c A$ is
generally not realizable under the (light) modal Dialectica translation.

Proof: The translation of Ax5 is a formula of shape $B(x) \to \forall y\,B(y)$ which only
holds true when $x$ is the empty tuple, special case when Ax5 requires no realizer at all.

Notice that $\Diamond^c \exists x A$ is akin to Berger's uniform existence $\{\exists x\}A$ from [2], where
one does not care about the witness for $\exists x$ (which is actually deleted from the
extraction). We can thus see $\Diamond^c$ as an extension of Berger's tool to more general formulas
than just existential ones. On the other hand there are situations when □ and $\Diamond^c$ are
too general tools and separate annotations for each quantifier are a better answer for
the problem at hand. In some of these cases it may still be possible to use the modal
operators if one changes the input specification and its proof.

Remark 4 (Necessity Introduction revisited). The usual restriction on the introduction
rule for the necessity operator is that $\Gamma = \emptyset$. In the natural deduction presentation
of modal logic, $\Box^i$ cannot be unrestricted or $A \to \Box A$ becomes a theorem, thus all
occurrences of □ becoming redundant. Our restriction on $\Box^i$ is strictly weaker, as, e.g., it
allows any context $\Gamma$ whose formulas are all refutation irrelevant and any context at all
if the conclusion is refutation irrelevant. Thus, $A \to \Box A$ not only is possible in our
pseudo-modal systems, it even defines a very interesting class of formulas, see below.

Definition 4 (necessary formulas). Formulas $A$ s.t. $\vdash A \to \Box A$ in NA^m or NA^m_l.

Also due to AxT, it follows that $\vdash A \leftrightarrow \Box A$ for any necessary formula, thus placing
□ in front of such $A$ would be logically redundant. We say that an occurrence of □ is
meaningful (i.e., non-redundant) in front of any formula that is not necessary.

Note that all refutation irrelevant formulas are necessary formulas. It is easy to see
that some of the refutation relevant formulas are necessary, e.g., $\forall x \bot$ and $\forall x \top$ (in fact
any $A$ s.t. $\vdash A$ or $\vdash \neg A$ in NA^m or NA^m_l). However, even if such formulas syntactically
do require challengers, these functionals turn out to be redundant and can be
soundly discarded by a □, without the need to change any other component of the input
proof. In fact, a formula $A$ is necessary iff it can be proved equivalent (in NA^m or NA^m_l)
to a refutation irrelevant formula $B$. Indeed, for a necessary $A$ take $B := \Box A$. For the
converse we can use the long implication $A \to B \to \Box B \to \Box A$, where for the last
implication a contextless $\Box^i$ together with AxK was used.

Therefore, the 'necessary' class captures those formulas whose negative computa- 
tional content can always be erased regardless of the context in which they are used. 
On the other hand, there are cases when □ can soundly be applied to a non-necessary 
formula, leading to cleaner and more efficient extracted programs (see Section 3 below).

Remark 5 (modal vs. pseudo-modal). It would appear that our input Arithmetic NA^m
is able to prove new modal theorems and even sentences that are invalid in Schütte's
semantics. On the other hand, our -^r restriction on contraction is not present in the
usual first-order modal logic systems, thus some of the classical modal theorems will
no longer be theorems of NA^m. Therefore, we say that our input systems are
'pseudo-modal' rather than modal. See [13] for extensive comments on the design of formalisms
for predicate modal logic, particularly on the yet-unsatisfactory definition of necessity
introduction in Natural Deduction systems. Contraction restriction notwithstanding, we
give the optimal restriction for $\Box^i$ in view of automated program synthesis. However,
this does not solve the issue for general, fully-fledged first-order modal logics.

2.1 Modal induction rule 

As first argued in [9], induction (for natural numbers, but more generally also for lists,
as naturals $\iota$ are a particular case of inductively defined lists) should rather be treated
in a Modified Realizability style whenever possible under Dialectica extraction. In our
non-standard modal context we can introduce the following modal induction rule of
systems NA^m and NA^m_l, which is defined with a Kreisel implication at the step:

$$\frac{\Gamma \vdash \Box A(0) \qquad \Box\Delta \vdash \Box A(n) \to A(Sn)}{\Gamma, \Box\Delta \vdash \Box A(n)}\ \mathrm{Ind}^m$$

This is an upgrade of the similar rule from [9] (given at the linear logic sublevel, see
also [15]), as it allows for non-empty contexts. While the base context $\Gamma$ is unrestricted,
the step context $\Box\Delta$ is made entirely of refutation irrelevant assumptions of shape $\Box D$.
Thus the step context restriction as for Ind_l (see Appendix) is bluntly satisfied, since
this only concerned refutation relevant assumptions (whose translations in NA had to
be quantifier-free, as their decidability was needed for case distinction in their
corresponding challenge realizers). Note that if $D$ already is refutation irrelevant, placing □
in front of $D$ is somewhat redundant. We could refine Ind^m by splitting the step context
into $\Delta'$ which consists of refutation irrelevant assumptions not of shape $\Box D$ and
$\Delta'' = \Box\Delta$. Nonetheless such $\Delta'$ were made of necessary formulas (cf. Definition 4).

The treatment of Ind^m under (light) modal Dialectica is much easier than the one of
Ind_l. In fact Ind^m is a good simplification of Ind_l for situations when the whole context
is made entirely of refutation irrelevant assumptions but $A(n)$ is a refutation relevant
formula. The challenger for $A(n)$ in the step conclusion would be unneededly produced
during the treatment of such Ind_l, as it becomes no part of any of the witnesses for the
conclusion sequent. Placing □ in front of the negatively positioned $A(n)$ thus ensures a
minimal optimization brought by Ind^m, in this particular case simply by elimination of
redundancy: the conclusion witnessing terms are the same as for Ind_l.

A more serious optimization concerns the challengers of $|C|$ for refutation relevant
assumptions $C$ from the $\Gamma$ context. These are simply preserved by Ind^m, while under
Ind_l they had to include the challengers for the step $A(n)$. If $A(n)$ were refutation
irrelevant, it would still make sense to use Ind^m instead of Ind_l, if one is not interested
in the challengers for the refutation relevant assumptions from the step context. While
for such particular Ind_l we already have the preservation of challengers for refutation
relevant assumptions strictly from $\Gamma$, still challengers for the refutation relevant step
assumptions are more complex in the conclusion sequent (they include a meaningful
Gödel recursion, even though here a challenger for the step negative $A(n)$ is no longer
comprised since it does not exist). Thus Ind^m can bring an improvement over Ind_l by
wiping out the step challengers altogether, should these not be needed in the global
construction of the topmost realizers for the goal specification.

It turns out that Ind^m strictly optimizes Ind_l in many (if not most) situations. Yet
Ind_l will have to be used also in our non-standard modal context, practically whenever
Ind^m simply cannot be applied for the goal at hand.

3 Examples 

The weak extensionality of modal input systems NA^m and NA^m_l can better be expressed
by means of the following modal compatibility axiom (the usual compatibility axiom,
but with the outward implication changed to a Kreisel implication)

$$\mathrm{CmpAx}^m:\ \Box(x =_\rho y) \to A(x) \to A(y)$$

By straightforward calculations, it is easy to see that CmpAx^m is realizable under (light)
modal Dialectica by simple projection functionals, with the verification in the fully
extensional NA given by the corresponding compatibility axiom CmpAx, see [10].
In [9] the following class of examples was considered: theorems of the form

$$\forall x A \to \forall y B \to \forall z C \qquad (1)$$

possibly with parameters, where the negative information on $x$ is irrelevant, while the
one on $y$ is of our interest. Then it must be possible to adapt the proof of (1) to a proof in
NA^m or NA^m_l of $(\Box\forall x A) \to \forall y B \to \forall z C$. As noticed by Oliva in [13], the Fibonacci
example first treated with Dialectica in [8] falls into this category.

Oliva also suggested an interesting example, which motivated the definition of our
positively computational quantifier $\forall_+$ (see [10]): "Any infinite set P of natural numbers
contains numbers which are arbitrarily apart". The claim can be formalized as follows:

$$\forall x \exists y\,(y > x \wedge P(y)) \to \forall d\, \exists n_1, n_2\,(n_2 > n_1 + d \wedge P(n_1) \wedge P(n_2)) \qquad (2)$$

This statement can be proved only via a contraction on the premise, and as a result $x$ is
refuted by a term involving case distinction on $|P|$. However, if only the witnesses of
$n_1$ and $n_2$ are needed, then the redundant challenge for $x$ can be discarded by using a
□ in front of the premise, effectively applying a Kreisel implication. This example is of
the form (1) and can be treated both with the hybrid Dialectica from [9] and with the
extended light Dialectica interpretation from [10].

The example can be extended so that the premise becomes more involved [19]:

$$\forall m\,(\exists n\, Q(n, m) \to \exists n_1\, Q(n_1, Sm)) \to \exists n\, Q(n, 0) \to \exists n_2\, Q(n_2, SS0) \qquad (3)$$

Again, a contraction must be used, and two semi-computational quantifiers need to be
applied to erase the negative computational content:

$$\forall_+ m\,(\exists_+ n\, Q(n, m) \to \exists n_1\, Q(n_1, Sm)) \to \exists n\, Q(n, 0) \to \exists n_2\, Q(n_2, SS0) \qquad (4)$$
However, this solution is not desirable, as the light annotations would only apply to a
special class of binary relations $Q$ for which the witness $n_1$ for $Q(n_1, Sm)$ does not
depend computationally on the witness $n$ for $Q(n, m)$ for any $m$, hence reducing the
generality of the claim. One of the solutions would be to extend the light annotations
to implications as in Qp'|, however a much simpler and more elegant approach would
be to use a Kreisel implication. The negative content of the premise will be fully erased
and the positive one will be fully preserved, achieving a Modified Realizability effect.

We will consider another relevant case study, known as the "integer root example", 
which was suggested by Berger and Schwichtenberg in 0: "every unbounded integer 
function has an integer root function". The example can be formalized as follows: 



The claim can be proved by contradiction using induction on the formula $f(n) < m$.
However, in addition to computing the integer root, the (heavy) Dialectica also extracts
a complicated recursive counterexample for $x$, with a case distinction on each step [19].
This term challenges the outermost premise, which forms the refutation relevant
induction context shared by the base and the step formulas. The undesired negative content
can be erased by a Kreisel implication, which converts the context to a necessary one,
allowing the application of the modal induction rule. As a result, only the integer root
is extracted, and additional artifacts are omitted. Note that, in contrast to the previous
two examples, this proof is classical, so Modified Realizability is not applicable in this
case. However, using $\forall_+ x$ would still achieve the same cleaning effect [19].

4 Conclusions and future work 

Modal Dialectica provides the means of using both Modified Realizability and Gödel's
Dialectica at the same time for more efficient program extraction. This was already the
case for the hybrid Dialectica of [9], but here we eliminate the detour to the linear logic
sublevel. Disregarding the light quantifiers, (pure) modal Dialectica represents (directly
at the supra-linear logic level) a good combination of the original proof interpretations,
with the possibility of carrying out both in a sound way on certain input proofs. All one
needs is that some implications of the input proof can be seen as Kreisel implications.

A natural continuation of the work reported in this paper concerns the addition
to our input systems of strong (intuitionistic) elements. Besides the strong $\exists$ and its
light associated $\exists_\emptyset$ (originally from [7] where it was denoted $\exists$, see also [19]), strong
possibility $\Diamond$ also needs to be considered as the intuitionistic dual of necessity □.

The following clauses would then be added to Definition 1 for getting the strong
modal Dialectica interpretation: $|\exists z A(z)|^{z,x}_{y} := |A(z)|^x_y$ and $|\Diamond A|_y := \exists x\,|A|^x_y$, and
further $|\exists_\emptyset z A(z)|^{x}_{y} := \exists z\,|A(z)|^x_y$ to Definition 2 in order to obtain the strong light
modal Dialectica interpretation.

Intuitionistic (light) modal arithmetical systems will first be considered at input for
'strong' program synthesis. Then their enhanced classical counterparts will be
interpreted, modulo some negative translation. Such systems will soundly extend NA^m with
$\Diamond$ and $\exists$, and NA^m_l also with $\exists_\emptyset$. Nevertheless certain restrictions may need to be applied
on NA^m and/or NA^m_l before attempting such extensions with intuitionistic elements.




(5) 
$$\mathrm{TAx}:\ \vdash \mathrm{at}(\mathrm{T}) \qquad\qquad \mathrm{CmpAx}:\ \vdash x =_\rho y \to A(x) \to A(y)$$

Table 1. Basic axioms, with CmpAx replaced by CMP rule in NA_l



Table 2. Logical rules, with $z \notin \mathrm{FV}(\Gamma)$ at $\forall^i$ and certain explicit contractions at $\to^e$ and $\wedge^i$



Table 3. Additional rules for NA_l, with extra restrictions on $\forall^i_+$, $\forall^i_-$ and $\forall^i_\emptyset$



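$$\frac{\Delta, a : A, a : A \vdash B}{\Delta, a : A \vdash B}\ C \qquad\qquad \frac{\Delta, a : A, a : A \vdash_l B}{\Delta, a : A \vdash_l B}\ C_l$$

Table 4. Contraction anti-rules C for NA and (restricted) C_l for NA_l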



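$$\frac{\Gamma \vdash A(\mathrm{T}) \qquad \Delta \vdash A(\mathrm{F})}{\Gamma, \Delta \vdash A(b)}\ \mathrm{Ind}_o \qquad\qquad \frac{\Gamma \vdash A(0) \qquad \Delta \vdash A(n) \to A(Sn)}{\Gamma, \Delta \vdash A(n)}\ \mathrm{Ind}_\iota$$

Table 5. Induction rules, with $\Gamma \uplus \Delta$ instead of $\Gamma, \Delta$ and $\Delta$ restricted at Ind_ι of NA_l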
5 Appendix

We use a special Natural Deduction (abbreviated "ND") presentation of our systems,
where proofs are represented as sequents $\Gamma \vdash B$, meaning that formula $B$ is the root of
the ND tree whose leaves $\Gamma$ are typed assumption variables (abbreviated "avars") $a : A$.
Here formula $A$ is the type of the avar $a$, and $\Gamma$ is a multiset (since there may be more
leaves labeled with the same $a : A$).

5.1 The verifying system NA 

The logical rules of system NA are presented in Table 2, with the usual restriction on
universal quantifier introduction $\forall^i$ that

$$z \notin \mathrm{FV}(\Gamma) := \bigcup_{a : A \in \Gamma} \mathrm{FV}(A)$$

At $\to^i$, $[a : A]$ denotes the multisubset of all occurrences of $a : A$ in the multiset of
assumptions of the premise sequent of $\to^i$. Thus $a : A \notin \Gamma$, hence $a : A$ is no longer
an assumption in the conclusion sequent of $\to^i$. In the ND tree, this means that all the
leaves labeled $a : A$ are inactivated (or "discharged" as one usually says in Natural
Deduction terminology).

Whereas in NA alone we could have safely let all contractions be handled implicitly
at $\to^i$, in relationship with the architecture of input system NA_l (see Section 5.2) we
are compelled to introduce for NA the contraction anti-rule C in association with C_l
of NA_l, see Table 4. We refer to contraction as "anti-rule", rather than "rule" because,
despite the sequent-like representation of our calculi, in fact our formalisms are ND
and in the ND directed tree the representation of explicit contractions is by convergent
arrows that go in the direction which is reverse to the direction of all the other rules.

We find it convenient to introduce induction for booleans and naturals as the rules
presented in Table 5. Here we assume that the induction variables $b^o$ and respectively
$n^\iota$ do not occur freely in $\Gamma$, nor $\Delta$, and that they do occur in the formula $A$.

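Computation in NA is expressed via the usual $\beta$-reduction rule $(\lambda x.\,t)\,s \hookrightarrow t[x \mapsto s]$,
plus rewrite rules defining the computational meaning of If and R:

$$\mathrm{If}\ \mathrm{T}\ s\ t \hookrightarrow s \qquad\qquad \mathrm{R}\ 0\ s\ t \hookrightarrow s$$

$$\mathrm{If}\ \mathrm{F}\ s\ t \hookrightarrow t \qquad\qquad \mathrm{R}\ (Sn)\ s\ t \hookrightarrow t\ n\ (\mathrm{R}\ n\ s\ t)$$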

Since this typed term system is confluent and strongly normalizing (cf. [17]), we are
free not to fix a particular evaluation strategy. For simplicity, we assume that all terms
occurring in proofs are automatically in normal form. In fact, normalization is necessary
only when matching terms in formulas. We only avoid introducing equality axioms
AxEQL as in [7] and skip the corresponding easy applications of CmpAx. When building
proofs, some computation is thus carried out implicitly, behind the scene.

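Using recursion at higher types we can define any provably total function of ground
arithmetic, including decidable predicates such as equality $\mathrm{Eq}_o$ for booleans and $\mathrm{Eq}_\iota$
for natural numbers:

$$\mathrm{Eq}^{ooo} := \lambda x.\ \mathrm{If}\ x\ (\lambda y.\,y)\ (\lambda y.\ \mathrm{If}\ y\ \mathrm{F}\ \mathrm{T})$$

$$\mathrm{Eq}^{\iota\iota o} := \lambda x.\ \mathrm{R}\ x\ (\lambda y.\ \mathrm{R}\ y\ \mathrm{T}\ (\lambda n, q^o.\ \mathrm{F}))\ (\lambda m, p^{\iota o}, y.\ \mathrm{R}\ y\ \mathrm{F}\ (\lambda n, q^o.\ p\,n))$$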
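The rewrite rules for If and R and the two equality terms above can be checked by running them. The following is an added example, not code from the paper: the names `If`, `R`, `eq_o` and `eq_i` and the encoding of naturals as non-negative Python ints and of T, F as `True`, `False` are assumptions of this transcription.

```python
# Added illustration (not from the paper): Goedel's T constants If and R as
# curried Python functions, and the two Eq terms built only from them.
# Assumed encoding: naturals are ints >= 0, booleans T/F are True/False.


def If(b):
    """Case distinction: If T s t -> s and If F s t -> t."""
    if not isinstance(b, bool):
        raise TypeError("If expects a boolean as first argument")
    return lambda s: lambda t: s if b else t


def R(n):
    """Goedel recursion: R 0 s t -> s and R (S n) s t -> t n (R n s t).

    The recursion is unfolded as a loop (innermost redex first), which the
    paper allows since the term system is confluent and strongly normalizing.
    """
    if isinstance(n, bool) or not isinstance(n, int) or n < 0:
        raise TypeError("R expects a natural number as first argument")

    def with_base(s):
        def with_step(t):
            acc = s                      # value of R 0 s t
            for k in range(n):
                acc = t(k)(acc)          # value of R (S k) s t
            return acc
        return with_step
    return with_base


# Eq^{ooo} := \x. If x (\y. y) (\y. If y F T)
def eq_o(x):
    return If(x)(lambda y: y)(lambda y: If(y)(False)(True))


# Eq^{iio} := \x. R x (\y. R y T (\n,q. F)) (\m,p,y. R y F (\n,q. p n))
def eq_i(x):
    # Base case (x = 0): y equals 0 iff the recursion on y never takes a step.
    base = lambda y: R(y)(True)(lambda n: lambda q: False)
    # Step case (x = S m): p decides equality with m; y = 0 gives F,
    # y = S n gives p n. Recursion on y is used only to take the predecessor.
    step = lambda m: lambda p: lambda y: R(y)(False)(lambda n: lambda q: p(n))
    return R(x)(base)(step)


def equality_table(bound):
    """Return {(x, y): eq_i(x)(y)} for all 0 <= x, y < bound."""
    return {(x, y): eq_i(x)(y) for x in range(bound) for y in range(bound)}


if __name__ == "__main__":
    for (x, y), value in sorted(equality_table(4).items()):
        print(x, y, value)
```

Because this Python `R` evaluates every intermediate value eagerly, `eq_i(x)(y)` recomputes `p n` for all predecessors of `y`; keep the arguments small when experimenting.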
The $\mathrm{at}(\cdot)$ construction allows us to view boolean programs as decidable predicates.
Given $\mathrm{Ind}_o$, its logical meaning is settled by the truth axiom TAx, see Table 1. In
this way we can define predicate equality at base types as $s =_\sigma t := \mathrm{at}(\mathsf{Eq}\,s\,t)$ for
$\sigma \in \{o, \iota\}$ and further at higher types extensionally as usual,
$s =_{\rho\tau} t := \forall x^{\rho}\,(s x =_\tau t x)$.
It is straightforward to prove by induction on $\rho$ that $=_\rho$ is reflexive, symmetric and
transitive at any type $\rho$.

To complete our system, we must include in NA also the compatibility (i.e., extensionality)
axiom CmpAx, see Table 1. Note that ex falso quodlibet (EFQ) $\bot \to A$ and
stability (Stab) $\neg\neg A \to A$ are fully provable in NA (cf. [17], by induction on $A$, using
TAx and $\mathrm{Ind}_o$).



5.2 The input system $\mathrm{NA}_l$

Light formulas $\mathcal{F}_l$ are built over usual formulas $\mathcal{F}$ of NA by adding the three light
universal quantifiers: the non-computational $\forall_\emptyset$ and the two semi-computational $\forall_+$ and
$\forall_-$. In order to stress the distinction of $\mathrm{NA}_l$ from NA it is convenient to rename NA's $\forall$
to $\forall_\pm$ in $\mathrm{NA}_l$ (which marks the whole computational content, both positive and negative):

$$\mathcal{F}_l \qquad A,B ::= \mathrm{at}(t^{o}) \mid A \to B \mid A \wedge B \mid \forall_\circ x A \quad \text{for } \circ \in \{\emptyset,+,-,\pm\}$$

Thus, system $\mathrm{NA}_l$ refines the clone of NA (also with CMP for CmpAx and $C_l$ for $C$)
with introduction and elimination rules for the light quantifiers (see Table 3). These
are copies of the clone rules for $\forall$ introduction and elimination, but with the usual
restriction ($\pm$) on $\forall$ introduction that $z \notin \mathrm{FV}(\Gamma)$ enhanced with the following
conditions referring to the LD-interpretation:

($+$) at the $\forall_+$ introduction rule, $z$ may be used computationally only positively, i.e.,
$z$ must not be free in the challengers of the LD-translation of $\Gamma$.

($-$) at the $\forall_-$ introduction rule, $z$ may be used computationally only negatively, i.e.,
$z$ must not be free in the witnesses of the LD-translation of $A$.

($\emptyset$) at $\forall_\emptyset$ introduction, $z$ may not be used computationally at all, i.e., both ($+$) and ($-$).

Notice that the restrictions ($+$), ($-$) and ($\emptyset$) assume knowledge of the LD-interpretation
of whole proofs, in their full depth, thus forcing the definition of $\mathrm{NA}_l$ proofs to go
inductively in parallel with the LD-extraction of part of their computational content
(namely free variables of the extracted terms). We simultaneously define the classes of
realization irrelevant $A_\oplus$ and refutation irrelevant $A_\ominus$ formulas as follows:

$$A_\oplus, B_\oplus ::= \mathrm{at}(t) \mid A_\oplus \wedge B_\oplus \mid A_\ominus \to B_\oplus \mid \forall_\circ x A_\oplus \quad \text{for } \circ \in \{\emptyset,+,-,\pm\}$$
$$A_\ominus, B_\ominus ::= \mathrm{at}(t) \mid A_\ominus \wedge B_\ominus \mid A_\oplus \to B_\ominus \mid \forall_\circ x A_\ominus \quad \text{for } \circ \in \{\emptyset,+\}$$

One necessary change when adopting principles from NA is to replace CmpAx with
a weak compatibility rule. This is because Dialectica is unable to interpret full
extensionality (cf. [11, 20]). We here employ an upgraded variant of the CMP rule from [7]:

$$\frac{\Gamma_\ominus \vdash x =_\rho y}{\Gamma_\ominus \vdash B(x) \to B(y)}\ \mathrm{CMP}$$

where all formulas in $\Gamma_\ominus$ are refutation irrelevant.

The computationally irrelevant contractions in $\mathrm{NA}_l$ can safely be handled implicitly
at $\to_I$. The situation is different for those contractions whose formula is refutation
relevant (i.e., the computationally relevant contractions), as we want to automatically
ensure that their translation is decidable (instead of leaving the task of decidability check
to the user). We achieve this by including in $\mathrm{NA}_l$ the contraction anti-rule $C_l$ (see Table
3) for all formulas $A$ that are refutation relevant and (+) do not contain any $\forall_+$, nor
$\forall_\emptyset$. This triggers the addition to NA of an explicit (unrestricted) contraction anti-rule $C$
which is needed in the construction of the verifying proof (it only applies to
quantifier-free formulas $|A|$). The restriction + ensures that all contraction formulas that require
at least one challenger term for their LD-interpretation will have quantifier-free (hence
decidable) LD-translations. Their decidability is necessary for attaining soundness.
Being a purely syntactical criterion, does not admit formulas whose LD-translations
contain quantifiers, but could nevertheless be decidable, e.g., $\mathrm{Odd}(x) = \forall y\,(2y \neq x)$.

Moreover, in order to avoid having any computationally relevant contractions
implicit in $\to_I$, we constrain the deduction rules of $\mathrm{NA}_l$ to disallow multiple occurrences
of refutation relevant assumptions in any of the premise sequents. Thus, whenever a
double occurrence of a refutation relevant assumption is created in a conclusion
sequent by one of the binary rules of $\mathrm{NA}_l$, such sequent cannot be directly a premise for
the application of an(other) $\mathrm{NA}_l$ rule: the anti-rule $C_l$ must be applied first, in order to
eliminate the critical double. If is not satisfied and yet $a : A$ is a refutation relevant
assumption occurring at least twice in some conclusion sequent, this is a dead end: such
sequent can only be the root of the $\mathrm{NA}_l$ proof-tree.

While EFQ : $\bot \to A$ remains fully provable also in $\mathrm{NA}_l$ (for all formulas $A \in \mathcal{F}_l$),
the situation changes for Stab : $\neg\neg A \to A$ in the case of many formulas $A$ that feature
light quantifiers in certain places. As noted in [7], the usual proof in NA of Stab
(constructed by induction on $A$) unavoidably makes use of contractions over $\neg(B \wedge C)$
for subformulas $(B \wedge C)$ of $A$, and these are subject to the restriction for refutation
relevant $B \wedge C$. Even when such $B \wedge C$ obey -^, they may lead to the failure of
restrictions ($+$), ($-$) or ($\emptyset$). On the other hand Stab is provable in $\mathrm{NA}_l$ for $A \in \mathcal{F}$ or $A$
conjunction-free.

5.3 The light Dialectica interpretation (LD-interpretation) 

With each formula $A$ of $\mathrm{NA}_l$ we associate its LD-translation: a not necessarily
quantifier-free formula $|A|^x_y$ of NA where $x$, $y$ are tuples of fresh variables, not appearing in $A$.
The variables $x$ in the superscript are called the witness variables, while the subscript
variables $y$ are called the challenge variables. Terms $t$ substituting witness variables
(like $|A|^t_y$) are called realizing terms or "witnesses" and terms $s$ substituting challenge
variables (like $|A|^x_s$) are called refuting terms or "challengers". Intuitively, the
LD-interpretation of $A$ can be viewed as a game in which first Eloise ($\exists$) and then Abelard
($\forall$) make one move each by playing type-corresponding objects $t$ and $s$ for the tuples
$x$ and respectively $y$. Formula $|A|^x_y$ specifies the "adjudication relation", here not
necessarily decidable: Eloise wins iff $\mathrm{NA} \vdash |A|^t_s$. In our light context as well, Eloise has
a winning move whenever $A$ is provable in $\mathrm{NA}_l$: the LD-interpretation will explicitly
provide it from the input $\mathrm{NA}_l$ proof of $A$ as a tuple of witnesses $t$ (s.t. $\mathrm{FV}(t) \subseteq \mathrm{FV}(A)$)
together with the verifying proof in NA of $\forall y\,|A|^t_y$ (Eloise wins by $t$ regardless of the
instances $s$ for Abelard's $y$).

Definition 5 (LD-translation of formulas). The interpretation does not change atomic
formulas, i.e., $|\mathrm{at}(t^{o})| := \mathrm{at}(t^{o})$. Assuming $|A|^x_y$ and $|B|^u_v$ are already defined,

$$|A \wedge B|^{x,u}_{y,v} := |A|^{x}_{y} \wedge |B|^{u}_{v}$$
$$|A \to B|^{f,g}_{x,v} := |A|^{x}_{f x v} \to |B|^{g x}_{v}\,.$$

The interpretation of the four universal quantifiers is (upon renaming, we assume that
quantified variables occur uniquely in a formula):

$$|\forall_\pm z A(z)|^{f}_{z,y} := |A(z)|^{f z}_{y} \qquad\qquad |\forall_+ z A(z)|^{f}_{y} := \forall z\,|A(z)|^{f z}_{y}$$

\V-zA(z)\Z v := |V zA(z)|- := Vz|A(z)|* 

Since $|\bot| = \bot$, we get

h4£ = haij. = ^<f /g) 

It is straightforward to compute that 

\3±zA(z)\%>f := -H^9)fe s) ( /S ) |3 + ^(z)|/ := 3z |A(z)|Jf (/fl) 
\B-zA(z)\?t := — |A(Zg)|^f /g) |3 zA(z)|/ := 3z |A(z)|^ /g) 

The length and types of the witnessing and challenging tuples are uniquely determined. 



5.4 Light Dialectica treatment of induction for naturals 

Since the induction rule (for naturals) corresponds to a virtually unbounded number of
contractions of each assumption from the step context $\Delta$ (cf. [13], see Table 5), its clone
in the system $\mathrm{NA}_l$ is subject to a restriction like the one of $C_l$. Namely, we need to
require that all refutation relevant avars in $\Delta$ satisfy -Jc. Moreover, since the contractions
on $a \in \Gamma \cap \Delta$ will be handled differently than for simple binary rules like $\to_E$ or $\wedge_I$,
it is more convenient to require that naturals induction in $\mathrm{NA}_l$ implicitly contracts all
its refutation relevant assumptions (instead of using the explicit $C_l$). We will use the
notation $\Gamma \uplus \Delta$ for a special multiset union in which refutation relevant assumptions
appear only once, even if they appear in both $\Gamma$ and $\Delta$. Thus the $\mathrm{Ind}^{l}_\iota$ rule of $\mathrm{NA}_l$ is
finally obtained by replacing $\Gamma, \Delta$ with $\Gamma \uplus \Delta$ in the conclusion sequent of $\mathrm{Ind}_\iota$.

$$\frac{\Gamma \vdash_l A(0) \qquad \Delta \vdash_l A(n) \to A(\mathsf{S}n)}{\Gamma \uplus \Delta \vdash_l A(n)}\ \mathrm{Ind}_\iota$$



We are given 

l^ [y] I- (6) 
and

\A\ Z SWM V- \A(n)\? xv -» \A(Sn)\** (7)

We show that

Vv(\rvA\$fi v -> \A(n)\«W) (8)

is a theorem of NA, where

$$t'[n] := \mathsf{R}\,n\,r\,(\lambda n.s) \qquad (9)$$

for every corresponding pair ($r \in \mathbf{r}$ / $s \in \mathbf{s}$) and $\zeta[n]$ will be constructed as functional
terms depending on $u$. We here intentionally use the same variable $n$ that occurs freely
in $s$ and $t$. Implicitly, just $t'$ denotes $t'[n]$. Also $\zeta$ will be constructed as the
collection of all $\zeta'$ (corresponding to $\Gamma \setminus \Delta$) and $\zeta''$ (corresponding to $\Delta$).

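Let $b : B$ be a refutation relevant avar in $\Gamma \uplus \Delta$. Let $\gamma' \in \gamma$ and/or $\delta' \in \delta$ be the
challengers for $b$ in $\Gamma$ and/or $\Delta$. If $b$ appears only in $\Gamma$ (hence not in $\Delta$) we define

$$\zeta'[n] := \mathsf{R}\,n\,(\lambda v.\gamma'[v])\,(\lambda n,p,v.\,p(t\,t'\,v)) \qquad (10)$$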

If $b$ appears in $\Delta$, then the decidability of $|B|$ is needed at each recursive step to
equalize the terms $p(t\,t'\,v)$ obtained by the recursive call with the corresponding terms
$\delta'$. Thus the right stop point of the backwards construction is provided. In fact an
implicit contraction over $b$ happens at each inductive step and + guarantees that $|B|$ is
decidable. For $b \in \Gamma \cap \Delta$ let

C"[n} := Rn(A«.7 / [»])(An,p,t;.If(|B|*; [t ,. t , ] )(p(tt / «))« / [t / ;t;]) (11) 

and for $b \in \Delta \setminus \Gamma$ we define its $\zeta''[n]$ by replacing in (11) the $\gamma'$ with canonical
zeros. Here $z'$ are the challenge variables corresponding to formula $B$. Notice that

$$\vdash t'[\mathsf{S}n] = s\,t'[n] \qquad (12)$$
$$\vdash \zeta'[\mathsf{S}n]v = \zeta'[n](t\,t'\,v) \qquad (13)$$
h C"[Sn]t; = If(\B\*: [t ,. v] ) (C"[n](tt'v)) S'[t';v} (14) 

We attempt to extend (13) to the whole $\zeta$ by proving from (14) the following

l S lc"[sn]« h <"[ s »]» = C // W(** / ») (15) 
We obtain this as an immediate consequence of 

\B\f» [8n]v I- \B\i WM (16) 

Assuming ^\B\^, [t , . v] by O we get $\zeta''[\mathsf{S}n]v = \delta'[t';v]$ hence [Sn]i) and
thus (16) follows via Stab (which is fully available in the verifying system).

We now prove (8) by an assumptionless induction on $n$. Let be the collection
of all $\zeta'$ and those $\zeta''$ corresponding to $\Gamma \cap \Delta$. For $n = 0$ it is sufficient that

$$|\Gamma|^{u}_{\zeta[0]v} \vdash |A(0)|^{t'[0]}_{v}$$

which follows from (6) since by definition (0 we have $\vdash t'[0] = r$ and by definitions
(10) and (11) we have $\vdash \zeta^{*}[0] = \lambda v.\gamma'[v]$. Now given © we want to prove

|rwZ\|^ ]t , h \A(Sn)\ v ^ (17) 

To (O we apply ^f v ^ tt ' v] and via easy deductions in NA we get 

With (13) and (15) we can rewrite (18) to

\rvA\«$ ]v h |A(n)|fW (19) 
In (0 we substitute x => t' [n] and get 

l^[t>] h l^(Sn)|f [nl 

which gives (17) by means of easy NA deductions using (12), (16) and (19).

We have treated the most general situation, with all context sets $\Gamma \setminus \Delta$, $\Gamma \cap \Delta$
and $\Delta \setminus \Gamma$ inhabited by refutation relevant assumptions, and conclusion formula $A$
accepting both witnesses and challengers. Many particular situations amount to easier
treatments, with simpler extracted terms. These can be obtained as simplifications of the
general witnesses and challengers presented above, by means of the reduction properties
of the empty tuple, which was denoted $\varepsilon$ in [17]. We outline below only those particular
cases which are relevant in connection with the modal induction rule $\mathrm{Ind}^{\Box}_\iota$.

- If $\Gamma \cup \Delta$ contains no refutation relevant assumption, but $A(n)$ is refutation
relevant, then terms $t$ are no part of the realizers for the conclusion sequent, in this
case only $t'$. Hence $t$ would be redundantly produced and a mechanism is needed
to prevent their construction. This is ensured by $\Box$ in front of the step $A(n)$ at $\mathrm{Ind}^{\Box}_\iota$.

- If $A(n)$ is refutation relevant, $\Delta$ has no refutation relevant element but $\Gamma$ is
refutation relevant inhabited, then $\delta$ and $\zeta''$ are empty. Yet = has to be
produced as (10) and includes $t[n]$, which is no longer the case for $\mathrm{Ind}^{\Box}_\iota$.

- If $A(n)$ is refutation irrelevant then $v$, $t$ and $t\,t'\,v$ are empty tuples. Thus = $\gamma'$
and (11) simplifies to (recall $n \notin \mathrm{FV}(\gamma')$, $n \in \mathrm{FV}(t')$, and possibly $n \in \mathrm{FV}(\delta')$)

C"N = RnV (\n,p. If (\B\l, [tl] ) P 8'[t']) 

Modal induction rule - technical details



$$\frac{\Gamma \vdash \Box A(0) \qquad \Box\Delta \vdash \Box A(n) \to A(\mathsf{S}n)}{\Gamma, \Box\Delta \vdash \Box A(n)}\ \mathrm{Ind}^{\Box}_\iota$$
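We are given

$$|\Gamma|^{u}_{\gamma} \vdash \forall y\,|A(0)|^{r}_{y} \qquad (20)$$

and

$$|\Box\Delta|^{z} \vdash \forall y'\,|A(n)|^{x}_{y'} \to |A(\mathsf{S}n)|^{s x}_{v}$$

Since $v \notin \mathrm{FV}(|\Box\Delta|^{z})$ and $v \notin \mathrm{FV}(\forall y'\,|A(n)|^{x}_{y'})$ from the latter we easily obtain

$$|\Box\Delta|^{z} \vdash \forall y'\,|A(n)|^{x}_{y'} \to \forall v\,|A(\mathsf{S}n)|^{s x}_{v} \qquad (21)$$

With $t[n] := \mathsf{R}\,n\,r\,(\lambda n.s)$ for every corresponding pair ($r \in \mathbf{r}$ / $s \in \mathbf{s}$) we show by
induction on $n$ in NA with base context $|\Gamma|^{u}_{\gamma}$ and step context $|\Box\Delta|^{z}$ that

$$|\Gamma|^{u}_{\gamma},\ |\Box\Delta|^{z} \vdash \forall v\,|A(n)|^{t[n]}_{v}$$

As $t[0] = r$ the base is given by (20) and the step follows from (21) with $x \mapsto t[n]$
since $t[\mathsf{S}n] = s\,t[n]$. Thus challengers $\gamma$ are simply preserved for $|\Gamma|$ and witnesses
$t[n]$ are easily constructed for $|\Box A(n)|$ in the conclusion sequent of $\mathrm{Ind}^{\Box}_\iota$.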

Remark 6. Our modal induction rule is equivalent to a special case of $\mathrm{Ind}_\iota$, since a $\Box$
can be placed in front of $A(\mathsf{S}n)$ from the step sequent of $\mathrm{Ind}^{\Box}_\iota$. The equivalence of the
two formulations for the step sequent can easily be proved using AxT, Ax4, AxK and
$\Box_I$. Extracted terms are the same and the verifying proof only gets more direct.



